From dd949d5f529c37f6366f5ec6e57e8ad77cf82190 Mon Sep 17 00:00:00 2001
From: Leonhard Mayr
Date: Thu, 19 Oct 2023 16:12:11 +0200
Subject: [PATCH] Add HSTS headers to www redirects

Signed-off-by: Leonhard Mayr
---
 rootfs/etc/nginx/template/nginx.tmpl | 5 +++++
 test/e2e/annotations/fromtowwwredirect.go | 11 +++++++++++
 2 files changed, 16 insertions(+)

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index d58be2880..c71257bcb 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -629,6 +629,11 @@ http {
 {{ end }}
 }
 
+ header_filter_by_lua_block {
+ lua_ingress.header()
+ plugins.run()
+ }
+
 return {{ $all.Cfg.HTTPRedirectCode }} $redirect_to;
 }
 ## end server {{ $redirect.From }}
diff --git a/test/e2e/annotations/fromtowwwredirect.go b/test/e2e/annotations/fromtowwwredirect.go
index b69cce93e..3a72778dd 100644
--- a/test/e2e/annotations/fromtowwwredirect.go
+++ b/test/e2e/annotations/fromtowwwredirect.go
@@ -120,5 +120,16 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() {
 Expect().
 Status(http.StatusOK).
 Header("ExpectedHost").Equal(fromHost)
+
+ ginkgo.By("responding with an HSTS header")
+ f.HTTPTestClientWithTLSConfig(&tls.Config{
+ InsecureSkipVerify: true, //nolint:gosec // Ignore the gosec error in testing
+ ServerName: fromHost,
+ }).
+ GET("/").
+ WithURL(f.GetURL(framework.HTTPS)).
+ WithHeader("Host", fromHost).
+ Expect().
+ Headers().ContainsKey("Strict-Transport-Security")
 })
 })
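Review bot: Nothing in the added `header_filter_by_lua_block` says why it is there, and `plugins.run()` widens the change beyond HSTS: plugin header-filter hooks will presumably now run on redirect responses from this server block as well. A template comment such as `# emit HSTS (lua_ingress.header) and plugin header filters on from-to-www redirects` would record the intent. Browsers only honour Strict-Transport-Security when it arrives over TLS, so it is worth confirming that `lua_ingress.header()`, whose body is not shown here, skips the header when this block answers plain HTTP. The server block itself begins outside the hunk.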
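Review bot: The new step asserts only `Headers().ContainsKey("Strict-Transport-Security")`, so it passes for any response carrying that key, whatever its status or value. Pinning the expected redirect status in the same chain and checking the value, for example `Header("Strict-Transport-Security").Contains("max-age=")`, would show that a usable policy is set on the redirect response itself. A companion request over plain HTTP asserting `Headers().NotContainsKey("Strict-Transport-Security")` would guard against the header appearing on cleartext responses. The enclosing test closure starts outside the hunk.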